@ghen2 ghen2 commented Oct 23, 2023

Please consider this patch for CVE-2023-44487: HTTP/2 Rapid Reset Attack, taken from nginx@6ceef19. It applies cleanly to Zimbra's nginx 1.20 branch.

We're running this patch in production.

To ensure that attempts to flood servers with many streams are detected
early, a limit of no more than 2 * max_concurrent_streams new streams per one
event loop iteration was introduced.  This limit is applied even if
max_concurrent_streams is not yet reached - for example, if corresponding
streams are handled synchronously or reset.

Further, refused streams are now limited to maximum of max_concurrent_streams
and 100, similarly to priority_limit initial value, providing some tolerance
to clients trying to open several streams at the connection start, yet
low tolerance to flooding attempts.
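As an added illustration (not code from this PR, from Zimbra, or from nginx), the two limits the commit message describes modelled in C with hypothetical names: a per-iteration counter of new streams capped at 2 * max_concurrent_streams, and a budget of refused streams capped at max(max_concurrent_streams, 100). The simulation shows why a rapid-reset flood is cut off after 2 * max_concurrent_streams streams within one event loop iteration, while a client opening a normal number of streams is unaffected.

```c
#include <stdbool.h>
/* Constructed model of the two limits described in the commit message above,
 * using hypothetical names; this is not nginx's own code. */
typedef struct {
    unsigned max_concurrent; /* configured max_concurrent_streams */
    unsigned active;         /* streams currently open */
    unsigned new_streams;    /* streams opened in this event loop iteration */
    unsigned refused_left;   /* refusals still tolerated before closing */
    bool closed;             /* connection torn down with a connection error */
} h2_conn_t;

void h2_conn_init(h2_conn_t *c, unsigned max_concurrent) {
    c->max_concurrent = max_concurrent;
    c->active = c->new_streams = 0;
    /* refused streams are tolerated up to max(max_concurrent_streams, 100) */
    c->refused_left = max_concurrent > 100 ? max_concurrent : 100;
    c->closed = false;
}

/* Called whenever the event loop hands this connection new data. */
void h2_iteration_begin(h2_conn_t *c) { c->new_streams = 0; }
/* HEADERS opening a stream: true if accepted, false if refused or connection closed. */
bool h2_open_stream(h2_conn_t *c) {
    if (c->closed) return false;
    /* Limit 1: <= 2 * max_concurrent new streams per iteration, even if reset/refused. */
    if (c->new_streams >= 2 * c->max_concurrent) { c->closed = true; return false; }
    c->new_streams++;
    /* Limit 2: concurrency cap reached -> refuse, but only refused_left times. */
    if (c->active >= c->max_concurrent) {
        if (c->refused_left == 0) { c->closed = true; return false; }
        c->refused_left--;
        return false;
    }
    c->active++;
    return true;
}
/* Peer sends RST_STREAM for one of its open streams. */
void h2_reset_stream(h2_conn_t *c) { if (c->active) c->active--; }

/* Rapid Reset pattern (open, reset, repeat) inside one event loop iteration; returns
 * streams opened before the connection closed (would equal `attempts` without limit 1). */
unsigned simulate_rapid_reset(unsigned max_concurrent, unsigned attempts) {
    h2_conn_t c;
    h2_conn_init(&c, max_concurrent);
    h2_iteration_begin(&c);
    unsigned opened = 0;
    while (opened < attempts && h2_open_stream(&c)) { opened++; h2_reset_stream(&c); }
    return opened;
}
```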